jQuery.parseHTML is a security hazard and will be called implicitly in a number of obvious and not so obvious situations.
Why should you care?
Hey, jQuery is great! It’s so great that Stack Overflow users will recommend it no matter what your question is. And now they have two problems. Just kidding, they will have the incredible power of jQuery:
$("#list").append('<li title="' + item.info + '">' + item.name + '</li>');
The above locates a list in the document, creates a new list item with dynamic content and adds it to the list — all in a single line that still stays below the 80-column limit. And we didn’t even lose readability in the process.
Life is great until some fool comes along and mumbles “security” (yeah, that’s me). Can you tell whether the code above is safe to use in a web application? Right, it depends on the context. Passing HTML code to jQuery.append will call jQuery.parseHTML implicitly, which is the moral equivalent of the infamous innerHTML property. If you aren’t careful with the HTML code you are parsing there, this line might easily turn into a Cross-Site Scripting (XSS) vulnerability.